[docker-orchagent] limit privileged flag for swss container #17598
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mai Bui <[email protected]>
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Mai Bui <[email protected]>
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
maipbui
commented
Dec 18, 2024
| @@ -37,7 +37,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_ORCHAGENT_DBG) | |||
| SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_ORCHAGENT_DBG) | |||
|
|
|||
| $(DOCKER_ORCHAGENT)_CONTAINER_NAME = swss | |||
| $(DOCKER_ORCHAGENT)_RUN_OPT += --privileged -t | |||
| $(DOCKER_ORCHAGENT)_RUN_OPT += -t --cap-add=NET_ADMIN --security-opt apparmor=unconfined --security-opt="systempaths=unconfined" | |||
There was a problem hiding this comment.
--security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
These arguments are necessary for arp/test_arp_extended.py test case
arp/test_arp_extended.py:95:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/local/lib/python3.8/dist-packages/ptf/testutils.py:3250: in verify_packet
test.fail(
device = 0
pkt = <Ether dst=b'fe:54:00:a3:80:01' src=22:48:23:27:33:d8 type=ARP |<ARP op=is-at hwsrc=22:48:23:27:33:d8 psrc=192.168.0...:a3:80:01' pdst=192.168.0.3 |<Raw load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>
port = 1
port_id = 1
result = PollFailure(device=None, port=None, packet=None, time=None)
test = <tests.common.plugins.ptfadapter.ptfadapter.PtfTestAdapter testMethod=runTest>
timeout = 10
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <tests.common.plugins.ptfadapter.ptfadapter.PtfTestAdapter testMethod=runTest>
msg = 'Expected packet was not received on device 0, port 1.\n========== EXPECTED ==========\ndst : DestMACField ...00 00 00 ............\n========== RECEIVED ==========\n0 total packets.\n==============================\n'
def fail(self, msg=None):
"""Fail immediately, with the given message."""
> raise self.failureException(msg)
E AssertionError: Expected packet was not received on device 0, port 1.
E ========== EXPECTED ==========
E dst : DestMACField = b'fe:54:00:a3:80:01' ('None')
E src : SourceMACField = '22:48:23:27:33:d8' ('None')
E type : XShortEnumField = 2054 ('36864')
E --
E hwtype : XShortEnumField = 1 ('1')
E ptype : XShortEnumField = 2048 ('2048')
E hwlen : FieldLenField = None ('None')
E plen : FieldLenField = None ('None')
E op : ShortEnumField = 2 ('1')
E hwsrc : MultipleTypeField (SourceMACField, StrFixedLenField) = '22:48:23:27:33:d8' ('None')
E psrc : MultipleTypeField (SourceIPField, SourceIP6Field, StrFixedLenField) = '192.168.0.4' ('None')
E hwdst : MultipleTypeField (MACField, StrFixedLenField) = b'fe:54:00:a3:80:01' ('None')
E pdst : MultipleTypeField (IPField, IP6Field, StrFixedLenField) = '192.168.0.3' ('None')
E --
E load : StrField = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ("b''")
E --
E 0000 FE 54 00 A3 80 01 22 48 23 27 33 D8 08 06 00 01 .T...."H#'3.....
E 0010 08 00 06 04 00 02 22 48 23 27 33 D8 C0 A8 00 04 ......"H#'3.....
E 0020 FE 54 00 A3 80 01 C0 A8 00 03 00 00 00 00 00 00 .T..............
E 0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
E ========== RECEIVED ==========
E 0 total packets.
E ==============================
``` #Closed
|
@prsunny can you help review? |
prsunny
approved these changes
Dec 26, 2024
|
@prsunny All capabilities mentioned in this table except for NET_ADMIN will be disabled https://github.com/sonic-net/SONiC/blob/master/doc/Container%20Hardening/SONiC_container_hardening_HLD.md#table-4-extended-linux-capabilities |
github-actions bot
pushed a commit
to bradh352/sonic-buildimage
that referenced
this pull request
Jan 2, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
github-actions bot
pushed a commit
to bradh352/sonic-buildimage
that referenced
this pull request
Jan 2, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
github-actions bot
pushed a commit
to bradh352/sonic-buildimage
that referenced
this pull request
Jan 2, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
VladimirKuk
pushed a commit
to Marvell-switching/sonic-buildimage
that referenced
this pull request
Jan 21, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
prabhataravind
pushed a commit
to prabhataravind/sonic-buildimage
that referenced
this pull request
Mar 5, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
yanjundeng
pushed a commit
to yanjundeng/sonic-buildimage
that referenced
this pull request
Apr 23, 2025
…t#17598) [docker-orchagent] limit privileged flag for swss container Signed-off-by: Mai Bui <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)
Work item tracking
How I did it
Reduce linux capabilities in privileged flag
How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, and NET_ADMIN cap.
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)